umbral | Pass 8864[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Pass 8864.zip
Size

4.7MB
MD5

0178e791918b66c56ac8359005ebb979
SHA1

bcc3b8045526f713e8ccefaa1050ab8fdaf53a45
SHA256

2592ac7a76bc435a210d3646794abf0a654937d0ce6553ebc14982480a169433
SHA512

1dd950696d69a59fc944d8a809390dc352a13338e0e5cf81e1e274b0e04c6858cb877cb4da2c358329e017f9e2b33981611e806075cb3e1f8e3149b47a6d1bde
SSDEEP

98304:RlBiFzdYGiwC+zNIfwvilltOrnmeZ0ARLuq6ZIfPHUXeH4gdkYlfnCeK60Usv:RI/ir2vr6CuF1X2Rdk4hKI4

Score

10^/10

umbral

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1320456077468368906/F7rw766V_H8a2Z__0yhCNo12vx-Ia2NeCg2Ds_H44T5Cf5iiyVYLb09YSN1sfOYJwp1p

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
static1/unpack001/Pass 8864/Argon/Argon.exe	family_umbral

Umbral family
umbral

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
static1/unpack001/Pass 8864/Argon/bin/Atlantis.dll	embeds_openssl

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Pass 8864/Argon/Argon.exe
unpack001/Pass 8864/Argon/bin/Atlantis.dll
unpack001/Pass 8864/Argon/bin/oRniz4vtL94l.exe

Files

Pass 8864.zip
.zip

Password: 8864
Pass 8864/Argon/Argon.exe
.exe windows:4 windows x86 arch:x86

Password: 8864

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/Microsoft.Web.WebView2.Core.dll
.dll windows:4 windows x86 arch:x86

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:fe:6b:ce:da:d6:c8:03:03:a3:00:00:00:00:03:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/08/2024, 19:26

Not After

20/08/2025, 19:26

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

df:66:06:45:15:07:29:35:da:5f:7c:a3:94:98:40:6d:58:1a:dd:28:f0:b9:1a:cf:0b:c2:e9:86:37:c3:d8:42
Signer

Actual PE Digest

df:66:06:45:15:07:29:35:da:5f:7c:a3:94:98:40:6d:58:1a:dd:28:f0:b9:1a:cf:0b:c2:e9:86:37:c3:d8:42

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\s\third_party\edge_webview2\win\webview2_api_writer\dotNetAPIWrapper\Microsoft.Web.WebView2.Core\bin\ReleasePackage\Microsoft.Web.WebView2.Core.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 577KB - Virtual size: 577KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/Microsoft.Web.WebView2.WinForms.dll
.dll windows:4 windows x86 arch:x86

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:fd:36:44:39:73:0d:dc:02:28:00:00:00:00:03:fd
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/08/2024, 19:26

Not After

20/08/2025, 19:26

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

de:4d:1c:f8:54:d7:85:23:84:36:b4:27:41:b1:40:9e:36:a9:21:96:5a:dd:18:e4:8d:6e:2f:7a:15:c5:e9:cf
Signer

Actual PE Digest

de:4d:1c:f8:54:d7:85:23:84:36:b4:27:41:b1:40:9e:36:a9:21:96:5a:dd:18:e4:8d:6e:2f:7a:15:c5:e9:cf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\s\third_party\edge_webview2\win\winforms_control\Microsoft.Web.WebView2.WinForms\obj\Release Stable APIs\net462\Microsoft.Web.WebView2.WinForms.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/Microsoft.Web.WebView2.Wpf.dll
.dll windows:4 windows x86 arch:x86

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:fe:6b:ce:da:d6:c8:03:03:a3:00:00:00:00:03:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/08/2024, 19:26

Not After

20/08/2025, 19:26

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:f1:25:f8:36:e0:4d:e9:31:22:51:61:0e:7e:4f:88:45:f2:f4:19:fe:a8:10:cd:07:f3:50:ff:ab:5b:1c:3f
Signer

Actual PE Digest

03:f1:25:f8:36:e0:4d:e9:31:22:51:61:0e:7e:4f:88:45:f2:f4:19:fe:a8:10:cd:07:f3:50:ff:ab:5b:1c:3f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\Release Stable APIs\net462\Microsoft.Web.WebView2.Wpf.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/Newtonsoft.Json.dll
.dll windows:4 windows x86 arch:x86

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

06:ce:e1:31:be:6d:55:c8:07:f7:c0:c7:fb:44:e6:20
Certificate

Issuer

CN=DigiCert CS RSA4096 Root G5,O=DigiCert\, Inc.,C=US

Not Before

15/01/2021, 00:00

Not After

14/01/2046, 23:59

Subject

CN=DigiCert CS RSA4096 Root G5,O=DigiCert\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:de:32:e9:50:9b:44:aa:34:b1:da:f1:bc:0e:c8:73
Certificate

Issuer

CN=DigiCert CS RSA4096 Root G5,O=DigiCert\, Inc.,C=US

Not Before

15/07/2021, 00:00

Not After

14/07/2031, 23:59

Subject

CN=.NET Foundation Projects Code Signing CA2,O=.NET Foundation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:d1:40:7a:5a:bd:ed:43:d5:c1:73:12:1d:38:c5:29
Certificate

Issuer

CN=.NET Foundation Projects Code Signing CA2,O=.NET Foundation,C=US

Not Before

13/08/2021, 00:00

Not After

29/10/2024, 23:59

Subject

SERIALNUMBER=603 389 068,CN=Json.NET (.NET Foundation),O=Json.NET (.NET Foundation),L=Redmond,ST=Washington,C=US,1.3.6.1.4.1.311.60.2.1.2=#130a57617368696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

38:27:11:d0:35:02:fc:58:64:ae:1e:6c:cb:c5:eb:67:eb:5d:dc:c8:86:9e:e4:59:cc:0d:02:0e:5f:d1:fc:9b
Signer

Actual PE Digest

38:27:11:d0:35:02:fc:58:64:ae:1e:6c:cb:c5:eb:67:eb:5d:dc:c8:86:9e:e4:59:cc:0d:02:0e:5f:d1:fc:9b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

/_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 681KB - Virtual size: 680KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/README.txt
Pass 8864/Argon/bin/Atlantis.dll
.dll windows:6 windows x64 arch:x64

Password: 8864

bf8f9826b858c6dfc6b13e73a737a2d5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ws2_32

htons
closesocket
select
getaddrinfo
send
socket
connect
recv
freeaddrinfo
ioctlsocket
setsockopt
WSAIoctl
WSAResetEvent
gethostname
ntohs
getpeername
shutdown
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
htonl
gethostbyname
getsockopt
recvfrom
sendto
accept
listen
WSACleanup
__WSAFDIsSet
WSACloseEvent
WSACreateEvent
WSASetLastError
inet_pton
WSAStartup
WSAEventSelect
WSAWaitForMultipleEvents
inet_ntop
WSAEnumNetworkEvents
bind
inet_addr
getsockname
WSAGetLastError

crypt32

CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertGetCertificateChain
CertFreeCertificateChain
CertOpenSystemStoreW
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

advapi32

CryptEncrypt
CryptHashData
CryptGetHashParam
CryptImportKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
GetCurrentHwProfileA

user32

EmptyClipboard
CloseClipboard
OpenClipboard
GetClipboardData
GetAsyncKeyState
SetClipboardData
GetClientRect
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
keybd_event
CallNextHookEx
GetSystemMetrics
MapVirtualKeyA
mouse_event
FindWindowA
ClientToScreen
GetForegroundWindow

kernel32

HeapReAlloc
GetTimeZoneInformation
SetStdHandle
SetEndOfFile
IsValidCodePage
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
DeleteFileW
HeapAlloc
FreeLibraryAndExitThread
ExitThread
CreateThread
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
RtlUnwindEx
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
GetStringTypeW
GetCPInfo
LCMapStringEx
DecodePointer
EncodePointer
GetFileInformationByHandleEx
CopyFileW
AreFileApisANSI
SetFileInformationByHandle
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesExW
FindFirstFileExW
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
GetModuleHandleA
QueryPerformanceFrequency
QueryPerformanceCounter
HeapSize
GetProcAddress
FormatMessageA
MultiByteToWideChar
GlobalAlloc
FlushFileBuffers
WideCharToMultiByte
HeapFree
LoadLibraryA
VerSetConditionMask
FreeLibrary
SetEvent
CloseHandle
ResetEvent
CreateEventA
RaiseException
ReadFile
EnterCriticalSection
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
GetCurrentThreadId
Sleep
GetStdHandle
GetFileType
WriteFile
GetLastError
GetModuleHandleW
RtlVirtualUnwind
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemDirectoryA
GetModuleHandleExW
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentVariableW
VirtualProtect
VirtualFree
GetACP
DeleteCriticalSection
ReleaseSemaphore
WaitForSingleObject
GetExitCodeThread
CreateSemaphoreA
LoadLibraryW
GetSystemTime
RtlUnwind
FindClose
FindFirstFileW
FindNextFileW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
LocalFree
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetDriveTypeW
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
FreeLibraryWhenCallbackReturns
IsProcessorFeaturePresent
RtlPcToFileHeader
SleepConditionVariableSRW
GetConsoleOutputCP
SetFilePointerEx
FileTimeToSystemTime
SetConsoleCtrlHandler
SystemTimeToTzSpecificLocalTime
GlobalLock
ExitProcess
TryAcquireSRWLockExclusive
InitOnceBeginInitialize
InitOnceComplete
WakeAllConditionVariable
WakeConditionVariable
GetFileSizeEx
CreateFileW
WaitForSingleObjectEx
WaitForMultipleObjects
PeekNamedPipe
VerifyVersionInfoW
MoveFileExW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GlobalUnlock
GetLocaleInfoW
WriteConsoleW
GetCurrentProcess
SystemTimeToFileTime
SleepEx
InitializeCriticalSectionEx
GetSystemDirectoryW
GetEnvironmentVariableA
GetTickCount
FormatMessageW

oleaut32

VariantClear

bcrypt

BCryptGenRandom

Exports

Exports

NextHook

Sections

.text
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 45KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 177KB - Virtual size: 176KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.fptable
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/bin/oRniz4vtL94l.exe
.exe windows:6 windows x64 arch:x64

Password: 8864

0da3c06954c8ac39d27318a7230553f5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SleepEx
VerSetConditionMask
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
ReadFile
GetFileType
GetStdHandle
GetCurrentProcessId
WaitForSingleObjectEx
MoveFileExA
FormatMessageW
SetLastError
Sleep
GetEnvironmentVariableA
WideCharToMultiByte
GetLastError
FreeLibrary
GetSystemDirectoryA
WaitForMultipleObjects
CreateEventA
WaitForSingleObject
SetEvent
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
GetTickCount
QueryPerformanceCounter
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetProcAddress
VirtualProtectEx
CloseHandle
Process32Next
LoadLibraryA
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
MultiByteToWideChar
WriteFile
GetModuleHandleW
GetEnvironmentVariableW
InitializeSRWLock
ReleaseSRWLockShared
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
VirtualFree
GetACP
InitializeCriticalSection
ReleaseSemaphore
GetExitCodeThread
CreateSemaphoreA
FormatMessageA
GetSystemTimeAsFileTime
LoadLibraryW
GetSystemTime
SystemTimeToFileTime
Process32First
RtlVirtualUnwind
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
FindClose
FindFirstFileW
FindNextFileW
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
LocalFree
Module32Next
LoadLibraryExA
WriteProcessMemory
PeekNamedPipe

user32

MessageBoxW
GetUserObjectInformationW
PostThreadMessageA
GetWindowThreadProcessId
EnumWindows
SetWindowsHookExA
GetProcessWindowStation

advapi32

CryptSetHashParam
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptEnumProvidersW
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptAcquireContextW
CryptEncrypt
CryptSignHashW
CryptDecrypt
CryptGenRandom
CryptGetProvParam
CryptGetUserKey
CryptExportKey

oleaut32

VariantClear

msvcp140

?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
?good@ios_base@std@@QEBA_NXZ

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
memcmp
strrchr
memchr
__std_exception_destroy
__current_exception
__std_terminate
_CxxThrowException
__C_specific_handler
wcsstr
strstr
strchr
memset
memcpy
__std_exception_copy
memmove

api-ms-win-crt-heap-l1-1-0

realloc
free
malloc
calloc
_set_new_mode
_callnewh

api-ms-win-crt-runtime-l1-1-0

_initterm
_set_app_type
_seh_filter_exe
_initterm_e
signal
_beginthreadex
__p___argc
__p___argv
_cexit
_c_exit
__sys_nerr
__sys_errlist
_configure_narrow_argv
_exit
_initialize_onexit_table
strerror_s
raise
_register_onexit_function
_invalid_parameter_noinfo_noreturn
exit
_crt_atexit
terminate
_errno
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_get_initial_narrow_environment

api-ms-win-crt-string-l1-1-0

_strdup
strcspn
strcat_s
strcpy_s
strncpy
strncmp
strcmp
strspn
tolower
strncpy_s
isdigit
strpbrk
isspace

api-ms-win-crt-stdio-l1-1-0

ftell
fseek
__stdio_common_vfprintf
__acrt_iob_func
fputs
ferror
_fileno
_fseeki64
fread
setvbuf
fwrite
__stdio_common_vswprintf
feof
__stdio_common_vsprintf_s
fclose
fflush
fputc
_setmode
_wfopen
_set_fmode
__p__commode
__stdio_common_vsscanf
_read
fopen
_open
fgets
_write
__stdio_common_vsprintf
_close
_lseeki64

api-ms-win-crt-filesystem-l1-1-0

_unlink
_stat64
_fstat64
_access
_stat64i32

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

_gmtime64
strftime
_time64
_gmtime64_s

api-ms-win-crt-convert-l1-1-0

wcstombs
atoi
strtoul
strtol
strtoll

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-math-l1-1-0

_fdopen
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

ws2_32

inet_addr
gethostbyaddr
getservbyport
gethostbyname
getservbyname
shutdown
inet_ntoa
gethostname
ioctlsocket
getpeername
sendto
getsockopt
send
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
closesocket
WSASetLastError
WSAGetLastError
ntohs
WSAStartup
WSACleanup
setsockopt
WSAIoctl
htons
socket
__WSAFDIsSet
select
accept
bind
connect
getsockname
htonl
listen
recv
getaddrinfo
freeaddrinfo
recvfrom

wldap32

ord27
ord26
ord22
ord41
ord50
ord32
ord79
ord211
ord46
ord217
ord143
ord45
ord35
ord60
ord33
ord30
ord200
ord301

normaliz

IdnToAscii
IdnToUnicode

crypt32

CryptStringToBinaryA
CertFreeCertificateContext
PFXImportCertStore
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertOpenSystemStoreW
CertAddCertificateContextToStore
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertFindExtension
CryptDecodeObjectEx

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 118KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pass 8864/Argon/fix exploit.bat
.bat .vbs
Pass 8864/Argon/message.bat
Pass 8864/Argon/runtimes/win-x64/native/WebView2Loader.dll
.dll windows:10 windows x64 arch:x64

Password: 8864

f6946d311bccc86e2042a388e375de41

Code Sign

33:00:00:03:fd:36:44:39:73:0d:dc:02:28:00:00:00:00:03:fd
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/08/2024, 19:26

Not After

20/08/2025, 19:26

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c6:09:cb:14:26:9b:b4:77:3c:29:88:04:e1:41:e3:69:ff:05:82:f6:7c:aa:90:16:0e:5e:6a:f3:0f:b3:26:3f
Signer

Actual PE Digest

c6:09:cb:14:26:9b:b4:77:3c:29:88:04:e1:41:e3:69:ff:05:82:f6:7c:aa:90:16:0e:5e:6a:f3:0f:b3:26:3f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

WebView2Loader.dll.pdb

Imports

kernel32

AcquireSRWLockExclusive
CloseHandle
CreateFileW
DeleteCriticalSection
EncodePointer
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetEnvironmentVariableW
GetFileAttributesW
GetFileType
GetLastError
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeSListHead
InterlockedFlushSList
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
MultiByteToWideChar
OutputDebugStringA
OutputDebugStringW
QueryPerformanceCounter
RaiseException
ReleaseSRWLockExclusive
RtlCaptureContext
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwindEx
RtlVirtualUnwind
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SleepConditionVariableSRW
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WakeAllConditionVariable
WideCharToMultiByte
WriteConsoleW
WriteFile

Exports

Exports

CompareBrowserVersions
CreateCoreWebView2Environment
CreateCoreWebView2EnvironmentWithOptions
GetAvailableCoreWebView2BrowserVersionString
GetAvailableCoreWebView2BrowserVersionStringWithOptions

Sections

.text
Size: 87KB - Virtual size: 87KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gxfg
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.retplne
Size: 512B - Virtual size: 140B

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: 8864

Password: 8864

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 227KB - Virtual size: 226KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:fe:6b:ce:da:d6:c8:03:03:a3:00:00:00:00:03:feCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

df:66:06:45:15:07:29:35:da:5f:7c:a3:94:98:40:6d:58:1a:dd:28:f0:b9:1a:cf:0b:c2:e9:86:37:c3:d8:42Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 577KB - Virtual size: 577KB

.rsrc Size: 1024B - Virtual size: 1000B

.reloc Size: 512B - Virtual size: 12B

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:fd:36:44:39:73:0d:dc:02:28:00:00:00:00:03:fdCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

de:4d:1c:f8:54:d7:85:23:84:36:b4:27:41:b1:40:9e:36:a9:21:96:5a:dd:18:e4:8d:6e:2f:7a:15:c5:e9:cfSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 25KB - Virtual size: 24KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:fe:6b:ce:da:d6:c8:03:03:a3:00:00:00:00:03:feCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

03:f1:25:f8:36:e0:4d:e9:31:22:51:61:0e:7e:4f:88:45:f2:f4:19:fe:a8:10:cd:07:f3:50:ff:ab:5b:1c:3fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 69KB - Virtual size: 68KB

.rsrc Size: 1024B - Virtual size: 984B

.reloc Size: 512B - Virtual size: 12B

Password: 8864

dae02f32a21e03ce65412f6e56942daa

Code Sign

06:ce:e1:31:be:6d:55:c8:07:f7:c0:c7:fb:44:e6:20Certificate

Key Usages

0a:de:32:e9:50:9b:44:aa:34:b1:da:f1:bc:0e:c8:73Certificate

Extended Key Usages

Key Usages

.text
Size: 227KB - Virtual size: 226KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

33:00:00:03:fe:6b:ce:da:d6:c8:03:03:a3:00:00:00:00:03:fe
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

df:66:06:45:15:07:29:35:da:5f:7c:a3:94:98:40:6d:58:1a:dd:28:f0:b9:1a:cf:0b:c2:e9:86:37:c3:d8:42
Signer

.text
Size: 577KB - Virtual size: 577KB

.rsrc
Size: 1024B - Virtual size: 1000B

.reloc
Size: 512B - Virtual size: 12B

33:00:00:03:fd:36:44:39:73:0d:dc:02:28:00:00:00:00:03:fd
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

de:4d:1c:f8:54:d7:85:23:84:36:b4:27:41:b1:40:9e:36:a9:21:96:5a:dd:18:e4:8d:6e:2f:7a:15:c5:e9:cf
Signer

.text
Size: 25KB - Virtual size: 24KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

33:00:00:03:fe:6b:ce:da:d6:c8:03:03:a3:00:00:00:00:03:fe
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

03:f1:25:f8:36:e0:4d:e9:31:22:51:61:0e:7e:4f:88:45:f2:f4:19:fe:a8:10:cd:07:f3:50:ff:ab:5b:1c:3f
Signer

.text
Size: 69KB - Virtual size: 68KB

.rsrc
Size: 1024B - Virtual size: 984B

.reloc
Size: 512B - Virtual size: 12B

06:ce:e1:31:be:6d:55:c8:07:f7:c0:c7:fb:44:e6:20
Certificate

0a:de:32:e9:50:9b:44:aa:34:b1:da:f1:bc:0e:c8:73
Certificate

0c:d1:40:7a:5a:bd:ed:43:d5:c1:73:12:1d:38:c5:29
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

38:27:11:d0:35:02:fc:58:64:ae:1e:6c:cb:c5:eb:67:eb:5d:dc:c8:86:9e:e4:59:cc:0d:02:0e:5f:d1:fc:9b
Signer

.text
Size: 681KB - Virtual size: 680KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 4.5MB - Virtual size: 4.5MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 45KB - Virtual size: 63KB

.pdata
Size: 177KB - Virtual size: 176KB

.fptable
Size: 512B - Virtual size: 256B

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 46KB - Virtual size: 46KB